200H, very slow IPSec VPN remote access

bbp

USG FLEX 200H, firmware V1.20(ABWV.0)

In theory, IKEv2 IPSec VPN should be faster, but on 200H it's only a third of throughput of SSL VPN. That's with AES256 and SHA256 for both phases.

If I increase SHA to 384 or even 512 and modp to 3072 it comes to a halt. Everything will time out.

It seems like hardware-accelerated encryption doesn't work as it should with IPSec VPN.

Zyxel_Emily

Hi @bbp,

Here are the official test report for your reference.

SSL VPN (OpenVPN) throughput
Using HTTP protocol to get 700M ZIP file from a server.
SSL VPN (AES) throughput on USG FLEX 200H with firmware 1.20 is around 131.2 Mbps.
(Security policy, Security services, BWM, DOS, Session control are disabled.)

Remote access VPN IKEv2 throughput
Using HTTP protocol to get 2G ZIP file from a server.
IPSec (AES) VPN Tunnel Throughput with 1 session with firmware 1.20 is around 119.5 Mbps.
Note: USG FLEX H with uOS doesn't support hardware-accelerated.

bbp

A far cry from what Zyxel advertise for 200H. This is the biggest disappointment so far for uOS and there have been many.

I do understand difference between real life and benchmark results, but getting only 1/10th of advertised performance is not right by any standard.

Zyxel_Emily

Hi @bbp,

In the datasheet, VPN throughput 1200Mbps are UDP throughput based on a combination of 64 byte, 512 byte, and 1424 byte packet sizes. (Using IXIA)

If you run the VPN throughput by downloading a ZIP file using HTTP (It is TCP, not UDP), the result 119.5 Mbps is measured with 1 session only.

Holger_AZ

https://community.zyxel.com/en/discussion/comment/66924#Comment_66924

Emily, can you please post the official test reports for the other USG devices (100H, 500H, 700H)?

Thank you

Regards, Holger